MiCA Level 2 RTS: Practical Compliance Steps for CASPs

ESMA published its first batch of final MiCA Level 2 technical standards in late 2024, with the CASP-specific RTS package covering authorization, conduct of business, and prudential requirements entering application alongside the full MiCA Title V regime on 30 December 2024. National competent authorities (NCAs) are now actively processing CASP authorization files, and several have already issued deficiency notices citing gaps in RTS-mandated disclosures. If your authorization application or ongoing compliance program was built against the Level 1 text alone, you have a problem.

TL;DR

• MiCA Title V (CASPs) has applied since 30 December 2024; Level 2 RTS are legally binding from the same date.
• ESMA's RTS cover authorization content, complaints handling, conflicts of interest, safeguarding of client assets, and prudential requirements — each with granular, prescriptive detail that goes well beyond the Level 1 text.
• NCAs are rejecting or querying authorization files that lack RTS-compliant policies, particularly on conflicts of interest and asset safeguarding.
• Existing MiFID II-licensed firms using the transitional period still need RTS-compliant frameworks in place before the transitional window closes.
• Operationalizing the RTS is a cross-functional project: legal, compliance, finance, technology, and senior management all have deliverables.

What This Regulation Actually Requires

The RTS Architecture: What ESMA Published

ESMA delivered its MiCA Level 2 work in two main tranches. The first tranche, submitted to the European Commission in mid-2024, covered the RTS and ITS directly relevant to CASPs under Title V of Regulation (EU) 2023/1114. The key instruments include:

• RTS on authorization (Article 62 MiCA): specifies the exact information, documents, and format required in a CASP authorization application.
• RTS on complaints handling (Article 71 MiCA): prescribes procedures, timelines (acknowledgment within 5 business days, substantive response within 15 business days for straightforward complaints), and record-keeping obligations.
• RTS on conflicts of interest (Article 72 MiCA): requires a written conflicts policy, a conflicts register updated at least annually, and specific disclosure templates.
• RTS on safeguarding of clients' funds and crypto-assets (Article 70 MiCA): sets out segregation requirements, reconciliation frequency (daily for crypto-assets held in custody), and the conditions under which client assets may be deposited with third-party custodians.
• RTS on prudential requirements (Article 67 MiCA): details the calculation methodology for the fixed overheads requirement and the conditions for using insurance or comparable guarantees as an alternative to own funds.

Authorization Content: More Than a Form-Fill

Article 62 MiCA lists the categories of information required. The RTS operationalizes each category. For the business plan, the RTS requires a three-year financial projection with stress scenarios, not a narrative description. For IT systems, applicants must submit a written description of the system architecture, data governance arrangements, and business continuity plan — including recovery time objectives (RTOs) and recovery point objectives (RPOs) for each critical system.

The governance section demands individual fitness-and-propriety assessments for each member of the management body, with supporting documentation. Regulators in Germany (BaFin) and France (AMF) have both issued Q&A guidance clarifying that CVs alone are insufficient; structured questionnaires aligned to the RTS template are expected.

Safeguarding: The Detail That Trips Firms Up

The safeguarding RTS is where most firms underestimate the workload. Daily reconciliation of crypto-assets held in custody is mandatory. The reconciliation must compare the CASP's internal records against the on-chain position and any third-party custodian records. Discrepancies must be investigated and resolved within one business day.

For client funds (fiat), the RTS requires segregation into accounts at credit institutions or central banks, with written acknowledgment from the institution that the funds are client money and cannot be used to satisfy the CASP's own creditors. This mirrors MiFID II client money rules but adds a crypto-specific layer: if the CASP also holds crypto-assets for the same client, the reconciliation must cross-reference both legs.

Prudential Requirements: The Fixed Overheads Calculation

CASPs must hold own funds equal to the higher of their minimum capital requirement (which varies by service type, ranging from €50,000 for advice-only to €150,000 for custody or trading) and 25% of fixed overheads from the preceding year. The RTS specifies which cost items are "fixed" for this purpose. Variable staff bonuses, for example, are excluded if they're genuinely discretionary and documented as such. Marketing costs tied to variable revenue are also excludable. Get the calculation wrong and you'll either over-capitalize (inefficient) or under-capitalize (regulatory breach).

What This Means for Your Company

The practical impact depends on where you sit in the market.

New entrants seeking authorization face the most immediate pressure. NCAs are working through backlogs, and incomplete files are being returned rather than held pending supplementation. A deficiency notice resets the clock. In some jurisdictions, the authorization clock doesn't formally start until the NCA deems the file complete — so a gap in RTS-required documentation can add months to your timeline.

Firms using the MiCA transitional period (entities that were providing crypto-asset services lawfully under national law before 30 December 2024) have until the earlier of their NCA's transitional deadline or 1 July 2026 to obtain full MiCA authorization. The transitional period does not exempt firms from the conduct-of-business RTS. Complaints handling, conflicts of interest, and safeguarding obligations apply from 30 December 2024 regardless of transitional status.

MiFID II-licensed firms expanding into crypto-asset services face a specific trap: their existing MiFID II frameworks are close to, but not identical to, the MiCA RTS requirements. The complaints handling timelines differ. The conflicts register format differs. Assuming MiFID II compliance equals MiCA compliance is a documented source of deficiency notices.

Custody-only CASPs should pay particular attention to the safeguarding RTS. The daily reconciliation requirement and the third-party custodian acknowledgment letter requirements are operationally intensive and require technology investment, not just policy drafting.

How to Operationalize

This is a cross-functional project. Assign a project owner with authority to pull in legal, compliance, finance, technology, and senior management. Then work through the following:

Step 1: Gap analysis against each RTS Map your existing policies and procedures against the specific requirements of each RTS. Don't do this at a high level. Go article by article. The conflicts of interest RTS, for example, has specific requirements about the format of client disclosures that many firms' existing policies don't address.

Step 2: Authorization file audit If you've already submitted or are preparing an authorization file, audit it against the Article 62 RTS requirements. Check: Is the business plan format compliant? Do the IT system descriptions include RTOs and RPOs? Are individual fitness-and-propriety questionnaires complete for every management body member?

Step 3: Safeguarding infrastructure

• Implement daily crypto-asset reconciliation. This requires a reconciliation tool or workflow that pulls on-chain data, internal ledger data, and third-party custodian data into a single comparison.
• Obtain written acknowledgment letters from all banks holding client fiat funds.
• Document your third-party custodian due diligence process and schedule annual reviews.

Step 4: Complaints handling system

• Configure your CRM or ticketing system to track the 5-business-day acknowledgment and 15-business-day response deadlines.
• Draft the mandatory complaints report template (required to be submitted to your NCA at least annually).
• Train front-line staff on what constitutes a "complaint" under the RTS definition — it's broader than most firms' current definitions.

Step 5: Conflicts register

• Build or update your conflicts register to capture all identified conflicts, the controls applied, and the outcome of any disclosure decisions.
• Schedule the mandatory annual review and document it.
• Prepare the client-facing disclosure template in the format specified by the RTS.

Step 6: Prudential calculation

• Run the fixed overheads calculation using the RTS methodology.
• Document which cost items you've excluded and why.
• Set up a quarterly monitoring process so you catch any breach of the own funds requirement before it becomes a regulatory issue.

Step 7: Senior management sign-off The RTS on authorization requires evidence that the management body has reviewed and approved key policies. Get board or management body minutes documenting approval of the safeguarding policy, conflicts policy, and complaints handling procedure.

Common Mistakes and How to Avoid Them

Treating the RTS as optional guidance. They're not. They're binding technical standards with the same legal force as the Level 1 regulation. NCAs are citing specific RTS articles in deficiency notices.

Copying MiFID II frameworks wholesale. The overlap is real but incomplete. Run a specific delta analysis between your MiFID II policies and the MiCA RTS requirements. The complaints handling timelines alone are different enough to cause a breach.

Underestimating the reconciliation build. Daily crypto-asset reconciliation sounds simple. In practice, it requires reliable on-chain data feeds, a reconciliation engine that handles multiple blockchains and token standards, and a workflow for investigating and escalating discrepancies. Firms that try to do this manually in spreadsheets will fail the operational resilience requirements.

Missing the third-party custodian acknowledgment letters. This is a specific, documented requirement. Your bank or custodian needs to confirm in writing that client assets are segregated and ring-fenced. Some banks are slow to issue these letters. Start the process early.

Assuming the transitional period covers conduct obligations. It doesn't. Safeguarding, complaints handling, and conflicts of interest obligations apply from 30 December 2024 for all CASPs, including those relying on the transitional period for authorization.

Letting the prudential calculation drift. Own funds requirements are dynamic — they move with your fixed overheads. A firm that grows rapidly can find itself in breach without realizing it. Quarterly monitoring is the minimum; monthly is better.

FAQ

Q: Does the MiCA transitional period mean we don't need to comply with the RTS yet?

A: No. The transitional period under Article 143(3) MiCA allows firms that were lawfully providing crypto-asset services before 30 December 2024 to continue operating without a MiCA authorization until the earlier of their NCA's deadline or 1 July 2026. But the conduct-of-business obligations — including the RTS on safeguarding, complaints handling, and conflicts of interest — apply from 30 December 2024 regardless of transitional status.

Q: Our NCA hasn't published specific guidance on the RTS. Do we follow ESMA's text directly?

A: Yes. The RTS are EU-level instruments and apply directly without requiring national transposition. ESMA's Q&A on MiCA (updated periodically) is the primary interpretive resource. Some NCAs have published supplementary guidance — BaFin and AMF have been most active — but where national guidance is silent, the RTS text governs.

Q: We're a MiFID II-licensed firm adding crypto-asset custody. Do we need a separate CASP authorization?

A: Yes, for crypto-asset custody specifically. MiFID II authorization doesn't cover crypto-asset services as defined in MiCA. You'll need a CASP authorization for each crypto-asset service you intend to provide, unless a specific exemption applies. The Article 60(3) MiCA simplified procedure for MiFID II-licensed firms reduces some documentation requirements but doesn't eliminate the authorization requirement.

Q: How often must we update the conflicts register?

A: The RTS requires at least annual review and update of the conflicts register. But the register must also be updated whenever a new conflict is identified or an existing conflict's status changes. Annual is the floor, not the ceiling.

Q: What happens if our own funds fall below the required level?

A: You must notify your NCA immediately and submit a remediation plan. Continued operation while in breach of prudential requirements is a serious violation that can result in authorization suspension or withdrawal. The RTS doesn't specify a cure period — that's at NCA discretion — so the practical answer is: don't let it happen. Build monitoring into your monthly financial close process.

---

Sources

• Regulation (EU) 2023/1114 of the European Parliament and of the Council on markets in crypto-assets (MiCA), OJ L 150, 9 June 2023
• ESMA Final Report on MiCA RTS (first package), ESMA75-453128700-1138, published 2024 — available via esma.europa.eu
• ESMA Questions and Answers on MiCA, periodically updated — available via esma.europa.eu
• European Banking Authority (EBA) and ESMA joint technical standards on MiCA prudential requirements — available via eba.europa.eu

---

Disclaimer

This article is produced by BizLegal-AI Intelligence Desk for informational purposes only. It does not constitute legal advice and does not create an attorney-client relationship. Regulatory requirements under MiCA and associated Level 2 technical standards are subject to ongoing development, NCA interpretation, and amendment. Readers should consult qualified legal counsel in the relevant jurisdiction before making compliance decisions. BizLegal-AI makes no representations as to the completeness or accuracy of this content as applied to any specific factual situation.